Resource link: https://download.csdn.net/download/alickxc/11705813
1. CISCN-2018 Illusion:
First, look at the key point:
As we can see, the app checks whether the flag is correct by encrypting the user input and comparing the result. Next, look at the .so implementation.
First, JNI_OnLoad():
Obtaining the address of the encryption function:
The decompiled output here is wrong: judging from how the function is called, it is presumably not implemented in C with a tidy prologue and epilogue, but in inline assembly:
The key point is the function at 10AC. Stepping into it, it only does simple shift arithmetic and has no external references, so we just need to compute the function's output mapping for inputs 0x1-0xff and then use the ASCII range to discard the irrelevant branches to obtain the flag. So we write an emulation program:
# coding=utf-8
import logging
import ctypes
from unicorn.arm_const import UC_ARM_REG_R0, UC_ARM_REG_R1, UC_ARM_REG_R2, UC_ARM_REG_R3, UC_ARM_REG_PC, UC_ARM_REG_R6, UC_ARM_REG_SP
from unicorn import Uc, UC_ARCH_ARM, UC_MODE_THUMB, UC_PROT_ALL, UC_HOOK_CODE, UcError

UC_MEM_ALIGN = 0x1000


def align(addr, size, growl):
    # Round (addr, size) outwards to page granularity so the region can be passed to uc.mem_map()
    to = ctypes.c_uint64(UC_MEM_ALIGN).value
    mask = ctypes.c_uint64(0xFFFFFFFFFFFFFFFF).value ^ ctypes.c_uint64(to - 1).value
    right = addr + size
    right = (right + to - 1) & mask
    addr &= mask
    size = right - addr
    if growl:
        size = (size + to - 1) & mask
    return addr, size


def hook_code(uc, address, size, user_data):
    # print(">>> Tracing instruction at 0x%x, instr
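The table-build, inversion and ASCII-pruning step described above, as an added example that is not part of the original write-up. In the real solve the forward table comes from the emulator (write the input byte to R0, run the routine at 10AC, read R0 back); here byte_routine is a constructed stand-in made of a couple of shifts, not the real routine, so that the inversion logic runs stand-alone.

```python
# Added example, not from the original write-up. `byte_routine` is a
# CONSTRUCTED stand-in for the emulated 10AC routine; in the real solve,
# pass a wrapper around uc.reg_write/uc.emu_start/uc.reg_read instead.

PRINTABLE = set(range(0x20, 0x7F))   # flag text must stay in this range


def byte_routine(b):
    """Constructed stand-in: two shifts and a constant, deliberately NOT injective."""
    return ((b << 1) & 0xFF) ^ (b >> 4) ^ 0x5A


def build_mapping(fn):
    """Forward table for inputs 0x01..0xff, the range the write-up brute-forces.

    `fn` is any callable taking one input byte and returning the output byte.
    """
    return {x: fn(x) for x in range(1, 0x100)}


def invert(mapping):
    """output byte -> list of input bytes; several inputs may collide."""
    inv = {}
    for x, y in mapping.items():
        inv.setdefault(y, []).append(x)
    return inv


def recover(cipher, inv):
    """Walk the stored ciphertext byte by byte, keeping only printable preimages.

    Returns every surviving candidate plaintext (normally exactly one);
    an empty list means some byte has no printable preimage at all.
    """
    candidates = [b""]
    for y in cipher:
        branches = [x for x in inv.get(y, []) if x in PRINTABLE]
        if not branches:
            return []
        candidates = [c + bytes([x]) for c in candidates for x in branches]
    return candidates


if __name__ == "__main__":
    table = invert(build_mapping(byte_routine))
    # constructed ciphertext: byte_routine applied to each byte of b"flag{"
    print(recover(bytes([0x90, 0x84, 0x9E, 0x92, 0xAB]), table))
```

With the stand-in, every output byte has two preimages that differ in bit 7, so the ASCII check alone resolves each position; with the real routine the same loop simply keeps whichever branches survive.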